Compare commits
8 Commits
mob/norepl
...
whitehouse
Author | SHA1 | Date | |
---|---|---|---|
be25560858 | |||
e4bf326191 | |||
04fafa32d3 | |||
ed4e045ffc | |||
fd6edd83c2 | |||
65faa70fa3 | |||
377b63437c | |||
43e8252459 |
2
.gitignore
vendored
2
.gitignore
vendored
@@ -2,4 +2,4 @@
|
||||
# Ignore build outputs from performing a nix-build or `nix build` command
|
||||
result
|
||||
result-*
|
||||
|
||||
run-vm-*
|
||||
|
19
flake.lock
generated
19
flake.lock
generated
@@ -136,6 +136,24 @@
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"liminix": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1760426231,
|
||||
"narHash": "sha256-r8c5PKtsxAvtQ/k17GH+WNvP47Lr+AbExLMPdLtvAKE=",
|
||||
"ref": "refs/heads/fix-gl-ar750",
|
||||
"rev": "3f1f7c08d440130cce9262a93ce78ed7969d93cd",
|
||||
"revCount": 1574,
|
||||
"type": "git",
|
||||
"url": "https://git.b4l.co.th/newedge/liminix"
|
||||
},
|
||||
"original": {
|
||||
"ref": "refs/heads/fix-gl-ar750",
|
||||
"rev": "3f1f7c08d440130cce9262a93ce78ed7969d93cd",
|
||||
"type": "git",
|
||||
"url": "https://git.b4l.co.th/newedge/liminix"
|
||||
}
|
||||
},
|
||||
"nix-darwin": {
|
||||
"inputs": {
|
||||
"nixpkgs": [
|
||||
@@ -207,6 +225,7 @@
|
||||
"devshell": "devshell",
|
||||
"flake-parts": "flake-parts",
|
||||
"import-tree": "import-tree",
|
||||
"liminix": "liminix",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"treefmt-nix": "treefmt-nix"
|
||||
}
|
||||
|
@@ -21,6 +21,10 @@
|
||||
url = "github:numtide/treefmt-nix";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
};
|
||||
liminix = {
|
||||
url = "git+https://git.b4l.co.th/newedge/liminix?ref=refs/heads/fix-gl-ar750&rev=3f1f7c08d440130cce9262a93ce78ed7969d93cd";
|
||||
flake = false;
|
||||
};
|
||||
};
|
||||
outputs =
|
||||
{
|
||||
@@ -38,6 +42,7 @@
|
||||
./shell.nix
|
||||
|
||||
./machines
|
||||
./routers
|
||||
./inventories
|
||||
./modules/clan/flake-module.nix
|
||||
];
|
||||
|
@@ -1,19 +1,7 @@
|
||||
{
|
||||
inputs,
|
||||
self,
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
{
|
||||
clan = {
|
||||
inventory = {
|
||||
|
||||
machines = {
|
||||
rigel.deploy.targetHost = "root@rigel.local";
|
||||
vega.deploy.targetHost = "root@vega.local";
|
||||
};
|
||||
|
||||
tags = {
|
||||
glom = [ "vega" ];
|
||||
b4l = [ "rigel" ];
|
||||
@@ -73,7 +61,6 @@
|
||||
input = "self";
|
||||
};
|
||||
roles.default.machines.b4l = { };
|
||||
roles.default.machines.vega = { };
|
||||
};
|
||||
stirling-pdf = {
|
||||
module = {
|
||||
|
@@ -1,13 +1,16 @@
|
||||
{ config, ... }:
|
||||
{
|
||||
imports = [
|
||||
(import ../../lib/auto-accept-zerotier-members.nix {
|
||||
memberIds = [
|
||||
"dbe44c0287" # Alex-gateway
|
||||
"1b495eede9" # kurogeek-thinkpad
|
||||
"b0e0b84fd3" # Alex
|
||||
"2bd36db8cc" # kurogeek-thinkpad
|
||||
];
|
||||
})
|
||||
];
|
||||
|
||||
system.stateVersion = "25.11";
|
||||
clan.core.sops.defaultGroups = [ "admins" ];
|
||||
clan.core.networking.targetHost = "root@[${config.clan.core.vars.generators.zerotier.files.zerotier-ip.value}]";
|
||||
}
|
||||
|
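Review bot: Two distinct ZeroTier member IDs in the `memberIds` allowlist, `"1b495eede9"` and `"2bd36db8cc"`, carry the same label `# kurogeek-thinkpad`, so the file cannot tell a reviewer which device each identity belongs to or whether one of them is stale. Because `auto-accept-zerotier-members.nix` presumably admits these identities to the network without any further approval step, every entry should identify exactly one device, and a superseded identity should be removed rather than left to accumulate. Which of the four IDs this commit adds is not recoverable from this rendering, but the duplicate label is on the new side either way.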
@@ -10,12 +10,14 @@
|
||||
(import ../../lib/auto-accept-zerotier-members.nix {
|
||||
memberIds = [
|
||||
"dbe44c0287" # Alex-gateway
|
||||
"1b495eede9" # kurogeek-thinkpad
|
||||
"b0e0b84fd3" # Alex
|
||||
"2bd36db8cc" # kurogeek-thinkpad
|
||||
];
|
||||
})
|
||||
];
|
||||
|
||||
clan.core.sops.defaultGroups = [ "admins" ];
|
||||
clan.core.networking.targetHost = "root@[${config.clan.core.vars.generators.zerotier.files.zerotier-ip.value}]";
|
||||
|
||||
nixpkgs.hostPlatform = {
|
||||
system = "x86_64-linux";
|
||||
|
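Review bot: With `clan.core.networking.targetHost = "root@[<zerotier-ip>]"` this machine is deployed as root over the ZeroTier overlay, so the auto-accepted `memberIds` list in this hunk is effectively the perimeter for root SSH: any identity on the list, or any device that obtains one of those identity keys, can reach sshd on this host. Confirm that root login on the overlay is key-only (`PermitRootLogin prohibit-password`; that setting is not visible here) and keep the list minimal; the two entries both commented `# kurogeek-thinkpad` should be disambiguated or one of them dropped. The enclosing module starts before this hunk.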
@@ -1,34 +0,0 @@
|
||||
{ config, pkgs, ... }:
|
||||
let
|
||||
# ncDomain = "${config.clan.core.vars.generators.vega-nextcloud.files.subdomain.value}.${config.networking.fqdn}";
|
||||
ncDomain = "${config.networking.fqdn}";
|
||||
in
|
||||
{
|
||||
clan.core.vars.generators.vega-nextcloud = {
|
||||
files.subdomain.secret = false;
|
||||
|
||||
prompts = {
|
||||
subdomain = {
|
||||
persist = true;
|
||||
type = "line";
|
||||
description = "Sub-domain for Nextcloud app. Default:(cloud)";
|
||||
};
|
||||
};
|
||||
|
||||
script = ''cat $prompts/subdomain || echo -n "cloud" > $out/subdomain'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [
|
||||
80
|
||||
443
|
||||
];
|
||||
|
||||
services.nextcloud = {
|
||||
hostName = ncDomain;
|
||||
package = pkgs.nextcloud31;
|
||||
};
|
||||
# services.nginx.virtualHosts."${ncDomain}" = {
|
||||
# # useACMEHost = "${config.networking.fqdn}";
|
||||
# # forceSSL = true;
|
||||
# };
|
||||
}
|
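--- a/machines/vega/services/samba.nix
+++ b/machines/vega/services/samba.nix
@@ -0,0 +1,93 @@
+{
+config,
+lib,
+...
+}:
+let
+sambaUser = lib.filterAttrs (
+name: user: user.isNormalUser && builtins.elem "samba" user.extraGroups
+) config.users.users;
+
+sharedFolders = {
+GLOM.users = [
+"w"
+"kurogeek"
+"berwn"
+];
+};
+in
+{
+
+services.samba = {
+enable = true;
+openFirewall = true;
+settings = {
+global = {
+security = "user";
+workgroup = "WORKGROUP";
+"server string" = "Glom Vega";
+interfaces = "eth* en*";
+"max log size" = "50";
+"dns proxy" = false;
+"syslog only" = true;
+"map to guest" = "Bad User";
+"guest account" = "nobody";
+};
+}
+// lib.mapAttrs (share: opts: {
+path = "/mnt/hdd/samba/${share}";
+comment = share;
+"force user" = share;
+"force group" = share;
+public = "yes";
+"guest ok" = "yes";
+"create mask" = "0640";
+"directory mask" = "0750";
+writable = "no";
+browseable = "yes";
+printable = "no";
+# TODO
+# "valid users" = toString opts.users;
+}) sharedFolders;
+};
+
+users.users = lib.mapAttrs (share: opts: {
+isSystemUser = true;
+group = share;
+}) sharedFolders;
+
+users.groups = lib.mapAttrs (share: opts: { }) sharedFolders;
+
+systemd.services.samba-smbd.postStart =
+lib.concatMapStrings (
+user:
+let
+password = config.clan.core.vars.generators."${user}-smb-password".files.password.path;
+in
+''
+mkdir -p /mnt/hdd/samba/${user}
+chown ${user}:users /mnt/hdd/samba/${user}
+# if a password is unchanged, this will error
+(echo $(<${password}); echo $(<${password})) | ${config.services.samba.package}/bin/smbpasswd -s -a ${user}
+''
+) (lib.attrNames sambaUser)
++ lib.concatMapStrings (share: ''
+mkdir -p /mnt/hdd/samba/${share}
+chown ${share}:${share} /mnt/hdd/samba/${share}
+'') (lib.attrNames sharedFolders);
+
+services.samba-wsdd = {
+enable = true;
+openFirewall = true;
+};
+
+services.avahi = {
+publish.enable = true;
+publish.userServices = true;
+# ^^ Needed to allow samba to automatically register mDNS records (without the need for an `extraServiceFile`
+nssmdns4 = true;
+# ^^ Not one hundred percent sure if this is needed- if it aint broke, don't fix it
+enable = true;
+openFirewall = true;
+};
+}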
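Review bot: Every share produced by the `lib.mapAttrs` block sets `public = "yes"` and `"guest ok" = "yes"` while `"valid users"` is left as a TODO, so together with `"map to guest" = "Bad User"` and `openFirewall = true` any host that can reach this machine reads the GLOM share anonymously, and the `sharedFolders.GLOM.users` list has no effect on access at all. If the share is meant for those three accounts only, drop the guest settings and enable the commented line: `public = "no"; "guest ok" = "no"; "valid users" = toString opts.users;`. Note also that `interfaces = "eth* en*"` only restricts where smbd listens when paired with `"bind interfaces only" = true`; without it smbd binds on every address, which on this host presumably includes the ZeroTier interface used for deployment. The smbpasswd line passes the password through an unquoted `$(<…)`, so a password containing whitespace or glob characters is mangled before it reaches smbpasswd; `printf '%s\n%s\n' "$(<${password})" "$(<${password})" | ${config.services.samba.package}/bin/smbpasswd -s -a ${user}` keeps it intact.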
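--- a/routers/default.nix
+++ b/routers/default.nix
@@ -0,0 +1,9 @@
+{ inputs, ... }:
+{
+flake.legacyPackages = {
+whitehouse-router = import "${inputs.liminix}/default.nix" {
+device = (import "${inputs.liminix}/devices/gl-ar750");
+liminix-config = import ./white-house/configuration.nix { inherit inputs; };
+};
+};
+}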
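--- a/routers/white-house/configuration.nix
+++ b/routers/white-house/configuration.nix
@@ -0,0 +1,120 @@
+{ inputs }:
+{
+config,
+pkgs,
+modulesPath,
+lib,
+...
+}:
+let
+secrets = {
+firewallRules = { };
+}
+// (import ./secrets.nix);
+wirelessConfig = {
+country_code = "TH";
+inherit (secrets) wpa_passphrase;
+wmm_enabled = 1;
+};
+svc = config.system.service;
+in
+{
+imports = [
+"${inputs.liminix}/modules/wlan.nix"
+"${inputs.liminix}/modules/network"
+"${inputs.liminix}/modules/vlan"
+"${inputs.liminix}/modules/ssh"
+"${inputs.liminix}/modules/bridge"
+"${modulesPath}/profiles/gateway.nix"
+];
+
+hostname = "whitehouse";
+boot = {
+tftp = {
+freeSpaceBytes = 3 * 1024 * 1024;
+serverip = "${secrets.lan.prefix}.148";
+ipaddr = "${secrets.lan.prefix}.251";
+};
+};
+
+services.sshd = svc.ssh.build {
+authorizedKeys.root = secrets.root.openssh.authorizedKeys.keys;
+};
+
+users.root = secrets.root;
+
+services.resolvconf = lib.mkForce (
+pkgs.liminix.services.oneshot rec {
+name = "resolvconf";
+up = ''
+( in_outputs ${name}
+echo "nameserver $(output ${config.services.wan} ns1)" > resolv.conf
+echo "nameserver $(output ${config.services.wan} ns2)" >> resolv.conf
+chmod 0444 resolv.conf
+)
+'';
+}
+);
+
+profile.gateway = {
+lan = {
+interfaces = with config.hardware.networkInterfaces; [
+wlan
+wlan5
+lan
+];
+inherit (secrets.lan) prefix;
+address = {
+family = "inet";
+address = "${secrets.lan.prefix}.1";
+prefixLength = 24;
+};
+dhcp = {
+start = 10;
+end = 240;
+hosts = { };
+localDomain = "lan";
+};
+};
+wan = {
+interface = svc.pppoe.build {
+interface = config.hardware.networkInterfaces.wan;
+username = secrets.l2tp.name;
+password = secrets.l2tp.password;
+};
+
+dhcp6.enable = true;
+};
+firewall = {
+enable = true;
+rules = secrets.firewallRules;
+};
+wireless.networks = {
+
+"${secrets.ssid}" = {
+interface = config.hardware.networkInterfaces.wlan;
+hw_mode = "g";
+channel = "2";
+ieee80211n = 1;
+}
+// wirelessConfig;
+"${secrets.ssid}-5" = rec {
+interface = config.hardware.networkInterfaces.wlan5;
+hw_mode = "a";
+channel = 36;
+ht_capab = "[HT40+]";
+vht_oper_chwidth = 1;
+vht_oper_centr_freq_seg0_idx = channel + 6;
+ieee80211n = 1;
+ieee80211ac = 1;
+}
+// wirelessConfig;
+};
+};
+defaultProfile.packages = with pkgs; [
+busybox
+iw
+iptables
+];
+
+}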
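Review bot: `firewall.rules = secrets.firewallRules` evaluates to `{ }`, because `secrets` merges `{ firewallRules = { }; }` with `./secrets.nix`, which defines no `firewallRules`; if the gateway profile's `firewall.rules` option carries a default rule set, this assignment presumably replaces it with an empty one, leaving `firewall.enable = true` with nothing to enforce on the WAN side — confirm against the profile, and if rules are meant to be optional leave the option unset when none are supplied rather than assigning `{ }`. `wirelessConfig` forwards `wpa_passphrase` from `secrets.nix`, where it is the empty string, and no `wpa`/`wpa_key_mgmt` setting is visible, so the security mode of both APs is not determined by this file; state it explicitly, e.g. `wpa = 2; wpa_key_mgmt = "WPA-PSK"; rsn_pairwise = "CCMP";`, unless the wlan module is known to set it. Minor: `channel = "2"` is a string while `channel = 36` is an integer used in arithmetic; use `channel = 2;` for consistency, and the PPPoE credentials come from an attribute named `l2tp`, which misnames the protocol.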
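--- a/routers/white-house/secrets.nix
+++ b/routers/white-house/secrets.nix
@@ -0,0 +1,20 @@
+{
+wpa_passphrase = "";
+ssid = "WhiteHouse";
+l2tp = {
+name = "";
+password = "";
+};
+root = {
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcZ/p1Ofa9liwIzPWzNtONhJ7+FUWd2lCz33r81t8+w kurogeek@kurogeek"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAB/raxJR8gASmquP63weHelbi+da2WBJR1DgzHPNz/f"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDuhpzDHBPvn8nv8RH1MRomDOaXyP4GziQm7r3MZ1Syk"
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAmgyEGuY/r7SDlJgrzYmQqpcWS5W+fCzRi3OS59ne4W openpgp:0xFF687387"
+];
+};
+
+lan = {
+prefix = "192.168.1";
+};
+}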
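Review bot: `routers/white-house/secrets.nix` is checked in with placeholder credentials (`wpa_passphrase = ""`, `l2tp.name = ""`, `l2tp.password = ""`), so the first person to make the router work will commit the real Wi-Fi passphrase and ISP login to this repository. The machines in this same commit already pull secrets through clan vars/sops (`clan.core.sops.defaultGroups = [ "admins" ]`); the router should obtain its secrets the same way, or at minimum this file should be gitignored with a `secrets.example.nix` template committed in its place. As committed, the empty `wpa_passphrase` cannot produce a working WPA network either, since hostapd requires a passphrase of 8–63 characters. The authorized public keys are not sensitive and can stay; two of them have no comment, which makes rotation harder, so label them.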